Detecting indicators of deception in emulated monitoring systems

Abstract

There has been a proliferation of cyber attacks in the form of malware manifestations, botnet attacks and intruder access to unauthorized systems, owing to the larger attack surface available to threat actors. Security researchers leverage computer systems to monitor and analyze security threats in order to secure their data. Some of the security tools employed by security analysts, namely honeypots, virtual machines, sandboxes and debuggers, are referred to here as emulated monitoring systems (EMS). However, threat actors are working hard to reduce the efficacy of EMS by exploiting the inherent limitations of these security tools. They have employed various detection techniques to reveal EMS artifacts, which we refer to as indicators of deception. In this paper, we investigate the level of EMS evasive measures and provide a taxonomy of the indicators of deception in EMS, to gain insight into the broad range of detection vectors available to threat actors. This would enhance EMS as a formidable weapon in the continuing struggle against threat actors, resulting in improved detection of advanced malware samples and higher detection of intrusions.